Description
Prism (aka PrismJS) through 1.29.0 allows DOM Clobbering (with resultant XSS for untrusted input that contains HTML but does not directly contain JavaScript), because the `document.currentScript` lookup can be shadowed by attacker-injected HTML elements.
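As an added illustration (not code from this advisory or from the PrismJS project), the snippet below shows the check a library that locates itself through `document.currentScript` can apply before trusting that value: verify that the object really is a `<script>` element, and fall back to a known-safe base path otherwise. Clobbering works because a named element in attacker-controlled markup can shadow built-in properties of `document`, so a library that reads `.src` or `data-*` attributes from the shadowed value ends up using attacker-controlled data. The mock document objects, the helper names (`isScriptElement`, `resolveCurrentScript`, `classifyCurrentScript`, `scriptBaseUrl`) and the `example.invalid` URLs are constructed for this example.

```javascript
// Added example: defensive handling of document.currentScript against DOM Clobbering.
// Not from the advisory or the PrismJS code base; all names and URLs are assumptions.

function isScriptElement(candidate) {
  if (!candidate || typeof candidate !== 'object') return false;
  // In a browser, prefer the real class check: a clobbering element is never a
  // <script> instance, whatever name attribute it carries.
  if (typeof HTMLScriptElement !== 'undefined') {
    return candidate instanceof HTMLScriptElement;
  }
  // Structural fallback so the example also runs under Node with mock objects.
  return candidate.nodeType === 1 && candidate.tagName === 'SCRIPT';
}

// Returns the running <script> element, or null when there is none (module or
// async context) or when the lookup has been shadowed by injected markup.
function resolveCurrentScript(doc) {
  const candidate = doc.currentScript;
  return isScriptElement(candidate) ? candidate : null;
}

// Detection helper: tells a caller (or a monitoring hook) which case it is in.
function classifyCurrentScript(doc) {
  const candidate = doc.currentScript;
  if (candidate == null) return 'absent';
  return isScriptElement(candidate) ? 'script' : 'clobbered';
}

// Derive the script's directory URL only from a verified <script> element;
// anything else yields the caller-supplied, known-safe fallback.
function scriptBaseUrl(doc, fallback) {
  const script = resolveCurrentScript(doc);
  if (!script || typeof script.src !== 'string' || script.src === '') return fallback;
  return script.src.replace(/[^/]*$/, ''); // strip the file name, keep the directory
}

// Constructed mock documents (no DOM needed to run this file).
const legitDoc = {
  currentScript: { nodeType: 1, tagName: 'SCRIPT', src: 'https://cdn.example.invalid/prism/prism.js' },
};
// What a library sees when injected markup shadows the property: an element
// that is not a <script>, carrying an attacker-chosen src.
const clobberedDoc = {
  currentScript: { nodeType: 1, tagName: 'IMG', src: 'https://attacker.example.invalid/x.png' },
};
const noScriptDoc = { currentScript: null };

function demo() {
  return {
    legit: classifyCurrentScript(legitDoc),            // 'script'
    clobbered: classifyCurrentScript(clobberedDoc),    // 'clobbered'
    absent: classifyCurrentScript(noScriptDoc),        // 'absent'
    legitBase: scriptBaseUrl(legitDoc, '/vendor/prism/'),        // 'https://cdn.example.invalid/prism/'
    clobberedBase: scriptBaseUrl(clobberedDoc, '/vendor/prism/'), // '/vendor/prism/'
  };
}

console.log(demo());
```

In a page, replace the mock `doc` with `document`; the point of the check is that an injected element can shadow the property but cannot satisfy the `HTMLScriptElement` test, so the fallback path is used instead of an attacker-supplied URL.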
Recommendation
Update the prismjs package to the latest compatible version. The following are the version details:
- Affected version(s): < 1.30.0
- Patched version(s): 1.30.0
References
Related Issues
- qs vulnerable to Prototype Pollution - CVE-2022-24999
- DOS by abusing `fetchOptions.retry`. - CVE-2023-49800
- Prototype Pollution in querystringify - Vulnerability
- Prototype Pollution in NASA Open MCT - CVE-2023-45282
Tags:
- npm
- prismjs
Last updated on June 30, 2025